Tuning the Wireless

CT examines the 6 biggest challenges to improving wireless service on campus--and learns how three schools are forging solutions.

Colleges and universities have got a big problem: how to bake a wireless network as good as Mom's. "That's the root of all the challenges," declares Eric Hawley, CIO of Utah State University. "I want a $2 million wireless network that's just as good as the cheap $40 one you run at home."

As Hawley sees it, the problem is that enterprise wireless networks "tend to be a little more finicky" than the home ones. "They tend to drop clients a little bit more than a home wireless network does," he explains. While the home devices are plug-and-play, enterprise networks force IT departments to manage client issues such as drivers and settings. It's a problem, furthermore, that vendors have not fully solved--no matter what some may say.

This story appeared in the August 2012 digital edition of Campus Technology.

So, with students showing up with expectations of ubiquitous wireless, schools are scrambling to implement a variety of strategies to give them what they want. CT looked at the six biggest challenges to providing a reliable wireless network on campus--and how schools are addressing them.

1) Placement of Access Points
As people move across campus, they expect their mobile devices to stay connected. The challenge facing schools is to eliminate any gaps in coverage that might result in dropped calls or choppy internet connections, and to provide enough coverage in high-traffic areas without causing signal interference.

Achieving this goal requires some form of site survey that examines the campus's layout and other physical aspects, such as the kind of building materials used in construction. Once the survey is complete, the IT department should know how many access points (APs) are needed; the kinds of antennas that should be used; where all this gear should be sited and in what density; and on which channel and power setting each AP should operate.

A physical site survey is the usual approach. At John Carroll University (OH), for example, a consultant used Fluke Networks' AirMagnet Survey to figure out where to place 800 Cisco 802.11n APs. The consultant "literally walked all of the different rooms in the distant corners," says Jim Burke, associate CIO.

Not everyone is a fan of the walk-through survey, though. In the view of Ryan Laus, network manager for Central Michigan University, such an approach is expensive and time-consuming. More important, he says, it isn't reliable.

"You're looking at a clean RF environment, without tons of people bringing in devices and polluting the air with signals," he explains. "When you throw some human bodies in there, your whole RF could be different."

Instead, when CMU places new Cisco APs--the school deployed 1,000 during an 18-month period starting in summer 2009--Laus employs utilities within Cisco's Wireless Control System and Network Control System. His team imports CAD drawings of buildings and then places APs on the map to show the strength of the signal.

"We have found that the maps are pretty accurate and we have been pretty happy with the results," he says. "We rarely have to go out and do a physical site survey."

But geographic surveys--whether virtual or physical--address only one aspect of the challenge. The biggest problem, says Mike Bestul, CIO of JCU, is keeping reliable coverage in areas where students congregate and use multiple devices. "The congregation places change depending on weather," he notes. "If we have a mild winter, we see more students outside. Therefore, we might need more coverage outside than we originally thought." To accommodate these vagaries, the university has purchased its own license to AirMagnet, allowing it to continually tweak its AP placements.

Utah State has taken a completely different tack. The school deployed a wireless system from Meru Networks that utilizes a proprietary virtual cell technology that provides coverage on a single channel without interference. Because of this, site surveys can be easy to conduct--and sometimes not required at all. Like every vendor solution on the market today, however, it's not a panacea. "[The technology] is exceptional and amazing for scaling and performance," says Hawley, but he acknowledges that it can have problems with legacy devices, such as Wii game consoles.

No Apple for This Teacher

When it comes to wireless, the company that for millions of Americans is the heartthrob of consumer electronics--Apple--does not engender the same kind of warm-and-fuzzy feelings among IT shops. In fact, says Eric Hawley, CIO of Utah State University, Apple is driving him crazy.

"[It doesn't] think about enterprise sustainability or how you can't get a broadcast protocol like Bonjour to scale to an institution that has 400 classrooms," he complains. "You don't want iPads popping up on AirPlay and somebody seeing a list of 400 projectors. It's not going to work. Plus, the broadcast traffic will start killing your network. Apple's protocols were never really built for that."

To address the problem, Hawley is researching Bonjour Gateway, a solution from Aerohive Networks, but he hasn't completed a serious evaluation yet.

2) Identity Management
Before the advent of mobile devices, it was a simple matter for IT to know who was doing what inside the firewall. When a problem surfaced, the computer could be booted off the network until the user played by the rules.

In a wireless environment, knowing who's who becomes a lot tougher, especially with students using multiple devices simultaneously. Some schools publish a self-service guide to registration, while others hold "connectivity days," where students bring their devices to IT for help in hooking into the network. Neither of these approaches is scalable or particularly user-friendly, though. A better approach is to automate the whole process using an identity-management mechanism. In this scenario, when users log in with their normal campus credentials, an identity management program assesses the security of their devices and brings them into compliance without IT intervention.

When users at CMU go onto the school network for the first time, for example, the institution's Bradford Networks network access control (NAC) system confines their access to a registration page where they must agree to terms. After they register their devices using their global IDs and passwords, the NAC system moves the devices into the production network, where users can access all the role-specific resources granted to them as students, staff members, or faculty.

The Bradford appliance uses a "dissolvable agent" that can run on Windows, Mac, and mobile devices. The agent enables the university to enforce security policies for viruses, service pack updates, and elevated privileges on individual clients, both wired and wireless. It's described as dissolvable because the agent runs once and then disappears from the device.

"We saw a huge decrease in the number of infected machines, better network performance, and happier users," reports Laus about the system. It also keeps IT abreast of which operating systems are gaining in popularity, what antivirus solutions are being run, and which kinds of users take up the most bandwidth.

Utah State has even managed to turn registration--often seen as a hassle--into a selling point. According to Hawley, registration is a "one-second process" that takes place for each device every 12 months. Users log in, click 'Register My Device,' and the system already knows their MAC address. More technical students are able to pick their own host names to run their personal servers and register and manage their own devices. "It's really cool because you can't do that with Comcast," insists Hawley. "You can't do that at home." This feature, together with the university's gigabit connectivity, is a persuasive marketing tool for on-campus housing.

3) Network Security
At this point, home-based WiFi is essentially a utility--it's assumed that a user can turn on a device, plug in an SSID key (not a particularly secure approach), and thereafter access the internet through that network. Students come to school expecting something similar, but such an approach doesn't work in an enterprise setting where network resources need to be protected. At home, a data breach would affect only the people who live at that address. At the college level, a data breach could affect hundreds of thousands of users and cost the institution a fortune--and its reputation.

For that reason, schools often run two levels of access: one for users to surf the internet and read e-mail, and a second to give users entry to network resources that require greater security. The challenge is to educate users about the differences between the two and to persuade them to go the more secure route.

At JCU, the secure portion of the network requires authentication via an Active Directory login. As an incentive to use it, users receive bandwidth that, according to Bestul, is a "little better" than the open network. Users also gain access to resources that aren't available on the open network, although in truth most students don't care about these.

JCU's two-level access is an evolution from an earlier policy that required students to register their computers and log in to gain any kind of WiFi access. The school opted to switch to a two-level system after students complained that the network was too tightly controlled. Even then, school administrators debated ways of pushing students to the secure side of the network.

"We did have some discussions among our consulting team and our staff about how to put this in place," Bestul recalls. "Should we force students to join the secured network by ratcheting down the open side of it to the point where it's virtually unusable? I personally think I made a wise decision by saying, 'No, let's not do that.'"

It was a conscious decision to forgo some security protections in favor of a more user-friendly system. As a result, most students do opt to stay on the open network. While IT can still shut students down via the Cisco firewall, says Bestul, "we don't really have a really good way of telling who they are."

It's a balancing act with which IT managers on campuses nationwide are all too familiar. Utah State and CMU also have a second tier of security, which requires authentication each time a user gets online, but neither IT organization is delighted with the results. The benefit is more privacy for the user, such as encryption of data passing over the network--and more security for the institution. But it's tougher to work with, too. For starters, users have to configure their devices for advanced encryption.

"This is where enterprise networks are just more complicated than the $40 stuff users have at home," notes Hawley. "You've got the whole certificate-management thing on enterprise networks, which is a nightmare from a usability standpoint."

4) Rogue Networks
It's a vicious cycle. Students and faculty, unhappy with their wireless connectivity, set up their own rogue wireless networks. In turn, these networks pollute the wireless signal on the existing network, further degrading system performance and leading even more students and faculty to go rogue. The challenge for schools is to stamp out these pirate networks, while simultaneously improving their own network so students won't feel the need to go outside the system.

Even if the university network is reliable, however, some students will inevitably want to set up their own networks in resident housing. "There's nothing inherently wrong with that," says Bestul. "But if it conflicts with your regular university-provided network, it can cause problems with all the other students down the hallway."

For a while, JCU's only solution was to send IT staff out to knock on doors, trying to ferret out the location of the rogue network. Then the university implemented Cisco's CleanAir, which provides visibility into the radio frequency spectrum to expose sources of interference. Now, IT can identify where bandwidth issues are taking place and where the network is being saturated with conflicting signals. IT still knocks on doors, but this time it can pinpoint the source of the problem. "Either we get students to shut their network down, or come up with some different channel or something of that nature, so that we get our own network back to the performance level where it needs to be," explains Bestul.

5) Privacy Protection
Mixing mobile devices and sensitive data is a disaster waiting to happen. All it takes is for a staff member to copy a file onto a flash drive, and then lose the device or leave it where somebody might find it. Suddenly, IT is in the hot seat performing mitigation work.

To address the problem, CMU uses a two-pronged approach. First, university policy forbids the copying of data onto mobile devices in departments that must be in compliance with the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) data-security standards.

Second, the school requires that all WiFi devices used to access HIPAA data run WPA2, a protocol specifically designed to require the use of stronger wireless encryption than the previous iteration of wireless security. And since a thumb drive can't run WPA2, it is unable to access the systems that carry HIPAA data. Active Directory is used to configure the wireless profile to enforce policy.

To further protect the data, CMU also requires that each machine go through a HIPAA-certification checklist. "Once the machine passes, we use our NAC system to put it on a protected [virtual network] that has access to the HIPAA data," explains Laus.

6) Lost Connections
Every campus seems to have at least one spot where no one can get wireless coverage--or the coverage is spotty at best. It might be a basement space converted into a student union; or a LEED structure with an advanced window coating that blocks RF signals; or a stadium where thousands of users simultaneously pull out their smartphones to share their feelings about the coach. Distributed antenna systems (DAS) are one approach that can help address the problem.

Theoretically, DAS supports WiFi and that other kind of wireless connection--cellular. The technology uses small antennas connected by fiber and working in arrays to carry voice and data traffic in a specific area. So why not put it everywhere? For a variety of reasons related to channel usage, antenna degradation, and signal collision, DAS is a better choice for gaps in cellular coverage than for picking up the slack in WiFi. Plus, as Utah State's Hawley declares, "It's crazy expensive!"

Some schools in populous areas have been able to cut deals with neutral brokers to fund construction of a DAS infrastructure. These brokers make their money back by turning around and selling wireless access to carriers such as AT&T and Verizon. For its part, the institution may be able to negotiate some kind of revenue-sharing deal, even as it achieves targeted improvements in WiFi coverage.

As an alternative, JCU is testing Wi-Ex zBoost Pro YXC-3500, a low-cost multicarrier amplifier. Bestul expects the zBoost to "work well in a few of our below-grade locations on campus," such as the dining hall and data center. These areas have non-exterior walls and lots of concrete, so cell coverage "has been spotty at best." The solution will cost a few thousand dollars: about $300 to $500 for the amplifier kit, and about $2,000 to run wiring for a roof-mounted antenna. "We've been told that it will work with most US cellular standards except for iDEN from Nextel and 4G," says Bestul.

Featured